Labeled NFS/Demo

From SELinux Wiki

The goal of the demonstration is to show passing of security labels over NFSv4 in a configuration similar to what might be found in a typical enterprise environment. Modern enterprise environments provide a number of centralized services for authentication and authorization, directory services, and network storage of user data, which are provided by the server component of the demonstration. These common services are provided using the following packages:

  • Authentication Services - Kerberos
  • Directory Services / Authorization Services - OpenLDAP
  • Centralized User Data Storage - NFSv4

The client component of the demonstration utilizes these services to provide users with login access. Automated installation scripts allow clients to be rapidly installed and configured, differing only by the client kerberos credentials. The demonstration user will be able to access each client, with his or her user data available on each system.

Mandatory access controls are enforced on both the client and server in Multi-Level Security (MLS) mode using SELinux.

NFS, Network File System

The NFS service enables files to be accessible across a network domain. The NFS service will provide user data directories (e.g. home directories). It will allow users to access their files from anywhere within the demo enterprise network.

NFS is commonly used to provide distributed file services within enterprise networks. Using it for the network's user directories provides for:

  • Centralized file control
  • User based access control
  • Easier data protection
    • Backups
    • Recovery
    • Integrity
  • Centralized access control
  • User mobility between hosts within the enterprise (i.e. users access files from any machine)

NFS is standard on most Unix/Linux distributions. It is also supported by Microsoft Windows, OS X, and other operating systems.

Modified Kernel for NFS

Support for labeled files was added to the NFS version 4 client and server. Label management interfaces are provided and the mounted file system functions as any other local, labeled file system.

Kerberos Authentication Service

Kerberos is an authentication system for distributed systems. Its use in the demo is to provide authentication services for access to the client hosts and the NFS and LDAP servers.

As security is a key part of this NFS demo, Kerberos was chosen for its ability to provide an enterprise-level authentication system. Kerberos has a number of qualities that lend it to this role:

  • Integrates easily with NFS
  • It is a mature service used in many enterprises
  • Designed to be secure within open networks
  • Support for Kerberos exists on almost all major platforms
    • Unix/NetBSD/Linux: Kerberos is integrated into many popular distributions (and some embedded Linux OSes).
    • Windows: the default authentication mechanism in the Windows family of clients and servers since Windows 2000 Professional/Server.
    • Mac OS X: the default authentication product.
    • SUN
    • Cisco
  • It is an open standard, IETF RFC 1510.

LDAP, Lightweight Directory Access Protocol

LDAP is a simple network-accessible directory service. It is used in this demo to provide the user information necessary for client machines to perform user logins and mount the NFS-provided home directories. More specifically, the LDAP server provides the following to the client machines:

  • user name, uid, gid
  • home directory locations
  • login shell

The combination of these three services provides an example of a secure network file system that would be acceptable for a contemporary enterprise.

For the demo, the servers will most likely all run on the same host, and there will be one or more client hosts using the servers' services.


SELinux policy and configuration changes are required on both the client and server for all of the services to function properly together. Supplementary SELinux policy modules were developed for installation on the NFS server to augment the stock policy package. On the client several booleans needed to be turned on to allow the client side services to interact properly.


The server SELinux policy is largely a stock Fedora policy package, with some custom policy to address some issues with the stock policy that prevent RPC and NFS services from functioning properly. The stock policy defines domains and types for the network services that limit access only to required system resources for normal configurations and to contain failures. Additional SELinux policy rules were added to permit access to resources beyond those granted in the stock Fedora policy. The server policy source RPM contains source for the following policies:

  • sefosrpc - Additional rules to permit portmap to bind to network ports and for creation of a socket file in /var/run.
  • sefosnfsserver - Additional rules to permit the creation and management of files in /var/lib/nfs, and allow the starting/stopping of services required for NFS (nfsd, rpc.gssd, idmapd, etc).

Another policy module (sefosexports) is required to grant the kernel NFS server access to the file types being exported. The set of types allowed for export is fairly minimal, by default. It includes the following types:

  • Read-Only Directories
    • mnt_t - The NFS server requires at least read access to the parent directories of an exported directory. In the demonstration /mnt/export/home is exported, and as /mnt is of type mnt_t, read-only access is required.
    • home_root_t - This is the type of /home (and of /mnt/export/home, as it is /home via a local bind mount). In the demonstration, user creation (and thus the creation of their home directories) is performed locally on the NFS server, so the NFS server requires read-only rather than read-write access.
  • Read-Write Directories and Files
    • user_home_t - User files are by default of type user_home_t. Read-write access is required for remote users to create and manage files.
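The export-policy module described above, as an added example that is not the demo's own sefosexports source: a script that generates a type-enforcement module granting nfsd_t exactly the read-only / read-write split the list states, and builds and loads it when the SELinux developer Makefile is present. The individual allow rules and the refpolicy permission-set names are assumptions.

```shell
#!/bin/sh
# Generate the .te source for a minimal export policy module.
# Arguments: module name (default sefosexports), version (default 1.0).
export_policy_te() {
    name=${1:-sefosexports}
    ver=${2:-1.0}
    cat <<EOF
policy_module($name, $ver)

require {
    type nfsd_t;
    type mnt_t;
    type home_root_t;
    type user_home_t;
}

# Read-only: nfsd must traverse the parents of the export (/mnt, /home).
allow nfsd_t mnt_t:dir list_dir_perms;
allow nfsd_t home_root_t:dir list_dir_perms;

# Read-write: remote users create and manage their own files.
allow nfsd_t user_home_t:dir manage_dir_perms;
allow nfsd_t user_home_t:file manage_file_perms;
allow nfsd_t user_home_t:lnk_file manage_lnk_file_perms;
EOF
}

# Count the allow rules in .te source read from stdin: a sanity check that
# the module stays minimal (the page grants only these few types).
count_allow_rules() {
    grep -c '^allow '
}

# Write, build and load the module; requires selinux-policy-devel on Fedora.
install_export_policy() {
    name=${1:-sefosexports}
    export_policy_te "$name" > "$name.te"
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        make -f /usr/share/selinux/devel/Makefile "$name.pp" && semodule -i "$name.pp"
    else
        echo "selinux-policy-devel not installed; wrote $name.te only" >&2
        return 1
    fi
}
```

After loading, `sesearch -A -s nfsd_t -t user_home_t` (setools) shows the resulting rules; anything the stock policy still denies appears as AVC messages in the audit log.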


The client SELinux policy is a stock Fedora policy package. Three booleans are enabled to allow Kerberos, NFS and RPC GSSD to function properly. The three SELinux booleans are:

  • allow_kerberos - required for client-side Kerberos to function properly
  • allow_gssd_read_tmp - required for RPC GSSD to read cached Kerberos credentials in /tmp (for passing credentials between NFS client and server)
  • use_nfs_home_dirs - allow home directories (/home) to be mounted via NFS

Under the hood

Once the demo is setup, what happens when a user logs in?

If the demo was set up properly, and the right username and password are used, the user should be able to log in through GDM and have their home directory mounted, with a normal and functional GNOME session initiated. Under the covers, a complex series of steps involving Kerberos, RPC services, LDAP, automount and NFS ensures authentication of the user as well as of the client and server systems and services. In a nutshell, here are the important steps that occur during a 'normal' user login:

  1. User account information is pulled from the LDAP server.
    1. Using the supplied username, the server returns the available account-related information (UID, GID, shell, home directory, etc.).
  2. User authentication is provided through PAM, which is configured to use Kerberos
    1. Prior to acquiring the user Kerberos ticket, the client and server systems mutually authenticate to ensure the correct systems are being involved in the authentication steps.
    2. Assuming the correct password is supplied, the client system is able to authenticate the user and caches the user's Kerberos credentials for later use.
  3. User home directories are mounted via NFSv4 by automount.
    1. Automount attempts to mount the user's home directory, and RPC GSSD provides the user's cached Kerberos credentials to the NFS server, as only authenticated users are allowed to mount exported shares.
    2. UID/GID -> user name/group name mapping information (provided by the LDAP server) is used to associate user names with the UIDs and GIDs denoting ownership of the mounted files and directories. This information is used by the operating system to enforce discretionary access controls.
    3. The NFS client and server exchange security labels to allow SELinux to appropriately label files and enforce mandatory access controls.
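As an added example that is not part of the original page, the following client-side check script covers the three booleans listed in the client policy section and the login steps above: it reports any required boolean that is off, confirms the LDAP-provided home directory is mounted as nfs4 with Kerberos security, and shows the label the server passed. The parsing functions take their input on stdin so they can be run against captured `getsebool -a` and `/proc/mounts` output offline; the user name and mount line in the comments are constructed.

```shell
#!/bin/sh
# Booleans the client policy section says must be on.
REQUIRED_BOOLEANS="allow_kerberos allow_gssd_read_tmp use_nfs_home_dirs"

# Read `getsebool -a` output (lines like "allow_kerberos --> on") on stdin
# and print each required boolean whose state is not "on".
booleans_off() {
    while read -r name arrow state; do
        case " $REQUIRED_BOOLEANS " in
            *" $name "*) [ "$state" = "on" ] || echo "$name" ;;
        esac
    done
}

# Read /proc/mounts on stdin; succeed only if $1 is mounted as nfs4 with a
# Kerberos flavour (sec=krb5, krb5i or krb5p), i.e. RPC GSSD was involved.
# Constructed example line:
#   nfs.demo:/export/home/alice /home/alice nfs4 rw,sec=krb5,addr=10.0.0.1 0 0
home_mount_ok() {
    want=$1
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "$want" ] || continue
        [ "$fstype" = "nfs4" ] || return 1
        case ",$opts," in
            *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) return 0 ;;
        esac
        return 1
    done
    return 1
}

# Live check against this machine for the given (or current) user.
client_check() {
    user=${1:-$(id -un)}
    home=$(getent passwd "$user" | cut -d: -f6)      # step 1: LDAP lookup
    klist -s 2>/dev/null || echo "no valid Kerberos ticket cache"   # step 2
    for b in $(getsebool -a 2>/dev/null | booleans_off); do
        echo "boolean $b is off: setsebool -P $b on"
    done
    home_mount_ok "$home" < /proc/mounts \
        || echo "$home is not a krb5-secured nfs4 mount"              # step 3
    ls -Zd "$home"    # SELinux label passed from the server (step 3.3)
}
```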

More specific information describing how the services on the clients and servers interact, and mapping between different service namespaces can be found here:

Service Interaction and User Name Mapping


Information helpful for troubleshooting issues is included in-line in the manual installation instructions and at the end of the automated installation.


Binary packages are compiled for Fedora Core 9 systems using the Intel x86 architecture. Source RPMS are available (but not tested) for use on other releases or architectures.

The most recent versions of the binary packages and kickstart files are:

Source RPMs and older binary packages are available at the same location: